A common problem has been found by many sites running the Melange Chat
Server (Here on out states as m-chat). M-Chat is a simple IRC like chat
program for private websites. it can be ran from a java script, by using
the browser to connect to the host on port 6666 (hence
www.host.com:6666). However this service also allows for a telnet
session to be connect in order to use the server and here in lies the
problem.
By logging into M-chat through a telnet connection, one is able to
monitor the http connections comming in on that port. In most cases the
person logging on using the browser based chat has their entire header
displayed to any currently in a raw telnet session. Below is a a short
article of this big being put into se on a effect hack.
Source: http://www.oh2600.com/forum/viewtopic.php?t=43
By: Nexus
Background:
What is Aimforum.com?
Aimforum.com Is/Was a rather popular America Online Instant Messanger
Forum. The site has a large gathering of rather intelligent young kids.
However the forum is now seeing hard time......
Why was it hacked?
As such would happen AimForum.com's new onwer did not see eye to eye
with the older vetern members of the Forum. The forum, which was a
underground forum talking about "illegal AIM" activities was converted
over to a open public system with no illegal posts or chatter were
permitted, was bound to cause conflict. After many many member being
banned a few people had decided to take the matter witihin their own
hands and prove a point, which would lead to a call to the
FBI........here is how it was done
Many sites today run a low level chat system known as Melange Chat,
better known as M-Chat which server as a simple inner site IRC server.
Aimforum.com is no different in this matter. A major flaw with M-chat is
that when it is access via a web browser it displays critical cookie
information to anyone witin the server. By simply telneting to
www.site.com:6666 <http://www.site.com:6666> one can site within the
telnet session and wait.......
Step One: Setting the trap
The "Hackers" logged into the M-Chat via telnet. They sat and waited for
their target to get online.......Now once the Admin was online, a simple
IM to him offering a link to www.aimforum.com:6666
<http://www.aimforum.com:6666> was all that was needed, the admin was
sent right to the M-chat port and this cookie and browser header was
then displayed within the M-chat channel.
Step Two: Putting the information to use.
Now that they aquired the admin's header information, it was time for
them to put things into action. They husseled to their firefox directory
(as it was a firefox cookie) and cleared their entire cookie cache, then
would open Firefox, and log into aimforum.com with their own( or a
hacked, didn't matter) account. This would allow them to get the cookie
set. Once the cookie was grabbed they closed firefox, openned the cookie
file and edited the "bbuser" field from 3315(which is the normal user
level) to 419, i think it was(which is the admin user level) and then
changed the "bbhash" from whatever it was they had to the admins hash.
Now with this all done they now have the same cookie information as the
targeted admin did.....It was time for the third and final step
Step Three: Executing the Hack
Having the same cookie information as the said Admin, they simply only
needed to open their Firefox, and direct themselves back to
www.aimforum.com. <http://www.aimforum.com.> And in the instant was
greeted with the "Welcome [Username Removed]" They were in....
Now from here they could have done anything, a simple new thread to say
"blah blah you were explioted" or anything else to prove their point and
get out....But they decided to take a more Destructive approch to their
plans. As the small team of kids went through the newly hacked forum
they began to delete threads, posts and information. Years of topics,
and useful information was gone in minutes. From here the exploit was
done and they felt satisfied, but it was not over, they had to prove
even further that they were "l33t h3x0r d00ds" they created a new
announcement on the forum which was dsiplayed on the front page
annoucnign they(using their handles/usernames) had hacked and owned the
forum.